Laravel 5-POST路由上的htaccess HTTPS重定向不起作用. [英] Laravel 5 - htaccess HTTPS redirect on post routes doesn't work.
问题描述
我有一个使用Laravel 5充当API的应用程序.我的.htaccess文件中包含以下内容,用于将所有路由重定向到https:
I have an application built with Laravel 5 acting as an API. I have the following in my .htaccess file to redirect all routes to https:
RewriteEngine On
# Force SSL
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
此功能适用于以下情况:
This works fine for the following:
但是如果我尝试使用http访问它,则会抛出MethodNotAllowedHttpException.它正确地重定向到https,但是似乎不正确地跟随POST请求,因为我的所有路由都只允许POST.
but throws a MethodNotAllowedHttpException if i try to access it with http. It correctly redirects to https, but seems to be not correctly following with the POST request, since all my routes only allow POST.
是否可以在不更改允许GET的情况下解决此问题?
Is there any way to fix this without changing my routes to allow GET as well?
推荐答案
为了强制执行https,需要您的RewriteRule强制进行外部重定向.对于您的规则,您将强制执行301重定向(R=301).大多数浏览器和客户端都设计为自动遵循重定向,但是它们(错误地)通过GET请求来实现.
In order to force https, your RewriteRule is required to force an external redirect. In the case of your rule, you're forcing a 301 redirect (R=301). Most browsers and clients are designed to automatically follow redirects, but they (incorrectly) do so with a GET request.
因此,当客户端将带有数据的POST请求发送到http://example.com/route时,您的服务器将响应301重定向到https://example.com/route,然后客户端发出GET请求,而没有将数据发送到新URL.如您所见,您不能仅更改路由来接受GET请求,因为原始POST请求中发送的数据将被丢弃.
So, when a client sends a POST request with data to http://example.com/route, your server responds with a 301 redirect to https://example.com/route, and then the client makes a GET request without the data to the new URL. As you can see, you can't just change your routes to accept GET requests as well, because the data sent in the original POST request will be dropped.
一种选择是添加重写条件以不重定向POST请求:
One option would be to add a rewrite condition to not redirect POST requests:
# Force SSL
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} !=POST
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
但是,这几乎违背了您要实现的目标.整个概念是在所有地方强制使用https.除非在将数据发布到应用程序中时,否则在任何地方强制执行它都是很愚蠢的.
However, this pretty much defeats the purpose of what you're attempting to accomplish. This whole concept is to force https everywhere. It would be silly to enforce it everywhere except when POSTing data to your application.
另一个可能的选择是将您的301重定向更改为307重定向.即使不应该为301/302重定向更改客户端的请求方法,但由于规范和现有功能的歧义,大多数客户端还是这样做.因此,添加了307,其具体思想是:如果使用此状态码,则不得更改请求方法.但是,307被归类为临时重定向",因此它不会被缓存并且可能会影响您的SEO.此外,此状态已添加到HTTP/1.1规范中,因此您可能会遇到一些不知道如何处理307的客户端.
Another possible option would be to change your 301 redirect to a 307 redirect. Even though clients aren't supposed to change the request method for 301/302 redirects, most clients do due to ambiguity in the specs and existing functionality. Because of this, 307 was added with the specific idea that if this status code is used, the request method MUST NOT be changed. However, 307 is classified as a "temporary redirect", so it won't be cached and may affect your SEO. Additionally, this status was added in the HTTP/1.1 spec, so you may run into some clients that don't know how to process a 307.
您最好的选择可能只是拒绝不安全的POST请求.或者,将它们重定向到错误页面,解释您不接受非安全的POST请求.
Your best option is probably just to reject non-secure POST requests. Or, redirect them to an error page explaining you don't accept non-secure POST requests.
RewriteEngine On
# Forbid non-secure POSTs
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} =POST
RewriteRule ^ / [F,L]
# Force SSL
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
这篇关于Laravel 5-POST路由上的htaccess HTTPS重定向不起作用.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
